
Calhoun: The NPS Institutional Archive 
DSpace Repository 



Theses and Dissertations 


1. Thesis and Dissertation Collection, all items 


1994-03 

A comparison of high-end video 
teleconference alternatives for the 
Department of Defense 

LeCounte, James A. 

Monterey, California. Naval Postgraduate School 


http://hdl.handle.net/10945/28045 


Downloaded from NPS Archive: Calhoun 



http://www.nps.edu/library

Calhoun is the Naval Postgraduate School's public access digital repository for
research materials and institutional publications created by the NPS community.
Calhoun is named for Professor of Mathematics Guy K. Calhoun, NPS's first
appointed — and published — scholarly author.

Dudley Knox Library / Naval Postgraduate School
411 Dyer Road / 1 University Circle
Monterey, California USA 93943




NAVAL POSTGRADUATE SCHOOL

MONTEREY, CALIFORNIA


THESIS 


AN ANALYSIS OF THE DoD CERTIFICATION AND 
ACCREDITATION PROCESS 

by 

James A. LeCounte 
June 2005 

Thesis Advisor: Karen Burke 

Second Reader: James F. Ehlert 


Approved for public release; distribution is unlimited 







REPORT DOCUMENTATION PAGE

Form Approved OMB No. 0704-0188

Public reporting burden for this collection of information is estimated to average 1 hour per response, including
the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and
completing and reviewing the collection of information. Send comments regarding this burden estimate or any
other aspect of this collection of information, including suggestions for reducing this burden, to Washington
Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite
1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project
(0704-0188) Washington DC 20503.

1. AGENCY USE ONLY:
2. REPORT DATE: June 2005
3. REPORT TYPE AND DATES COVERED: Master’s Thesis
4. TITLE AND SUBTITLE: An Analysis of the DoD Certification and Accreditation Process
5. FUNDING NUMBERS:
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Naval Postgraduate School, Monterey, CA 93943-5000
8. PERFORMING ORGANIZATION REPORT NUMBER:
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): N/A
10. SPONSORING/MONITORING AGENCY REPORT NUMBER:
11. SUPPLEMENTARY NOTES: The views expressed in this thesis are those of the author and do not reflect the official
policy or position of the Department of Defense or the U.S. Government.
12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited
12b. DISTRIBUTION CODE:
13. ABSTRACT (maximum 200 words)

The Department of Defense’s (DoD) current strategic vision is to ensure that information superiority is
maintained across the full spectrum of operations. Hence, one of the greatest challenges facing this vision is to
secure the information infrastructure. Protection of the infrastructure entails the standoff of a myriad of attacks and
malicious activity such as denial-of-service, viruses and Trojan horses. A daunting challenge in itself, protection
of the infrastructure succeeds only with a strong policy, process, and standard. The current process used to ensure
protection is the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). It is currently
being revised to the DoD Information Assurance Certification and Accreditation Process (DIACAP).

This thesis analyzes current and past applications of the DITSCAP to evaluate successes and failures.
Due to the large number of personnel who use the process and the astronomical cost associated with traveling to
each of their commands, the method selected to obtain data for analysis was a survey and phone interviews. The
survey was web-based and the link was emailed to personnel who use the process.

The objective of this thesis is to provide recommendations for improving the process that should be
considered in developing the DIACAP.

14. SUBJECT TERMS: DITSCAP, DIACAP, Certification and Accreditation
15. NUMBER OF PAGES: 77
16. PRICE CODE:
17. SECURITY CLASSIFICATION OF REPORT: Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified
20. LIMITATION OF ABSTRACT:

NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89)
Prescribed by ANSI Std. 239-18





Approved for public release; distribution is unlimited 


AN ANALYSIS OF THE DoD CERTIFICATION AND ACCREDITATION 

PROCESS 

James A. LeCounte 
Lieutenant, United States Navy 
B.S., Savannah State University, 1997 


Submitted in partial fulfillment of the 
requirements for the degree of 


MASTER OF SCIENCE IN INFORMATION TECHNOLOGY MANAGEMENT 


from the 


NAVAL POSTGRADUATE SCHOOL 
June 2005 


Author: 


James LeCounte 


Approved by: Karen Burke 

Thesis Advisor 


James F. Ehlert 
Second Reader 


Dan C. Boger 

Chairman, Department of Information Sciences 






ABSTRACT 


The Department of Defense’s (DoD) current strategic vision is to ensure that
information superiority is maintained across the full spectrum of operations. Hence, one 
of the greatest challenges facing this vision is to secure the information infrastructure. 
Protection of the infrastructure entails the standoff of a myriad of attacks and malicious 
activity such as denial-of-service, viruses and Trojan horses. A daunting challenge in 
itself, protection of the infrastructure succeeds only with a strong policy, process, and 
standard. The current process used to ensure protection is the DoD Information 
Technology Security Certification and Accreditation Process (DITSCAP). It is currently 
being revised to the DoD Information Assurance Certification and Accreditation Process 
(DIACAP). 

This thesis analyzes current and past applications of the DITSCAP to evaluate 
successes and failures. Due to the large number of personnel who use the process and the 
astronomical cost associated with traveling to each of their commands, the method 
selected to obtain data for analysis was a survey and phone interviews. The survey was 
web-based and the link was emailed to personnel who use the process. 

The objective of this thesis is to provide recommendations for improving the 
process that should be considered in developing the DIACAP. 





TABLE OF CONTENTS 


I. INTRODUCTION
    A. CURRENT ENVIRONMENT
    B. DOD’S CERTIFICATION AND ACCREDITATION PROTOCOL
    C. RESEARCH QUESTIONS
        1. Primary
        2. Secondary
    D. SCOPE OF RESEARCH
    E. METHODOLOGY

II. BACKGROUND
    A. INTRODUCTION
    B. INFORMATION ASSURANCE AND THE DII
    C. C&A AND POLICY
        1. DoD Directive 5200.28
        2. Public Law 100-235
        3. OMB Circular A-130 (Appendix III)
        4. DoD Directive 5220 and DCID 1/16
    D. DEFINITIONS
    E. THE CERTIFICATION AND ACCREDITATION PROCESS
        1. Phase 1: Definition
        2. Phase 2: Verification
        3. Phase 3: Validation
        4. Phase 4: Post Accreditation
    F. KEY ROLES
    G. SUMMARY

III. THE DITSCAP AS A PROCESS
    A. INTRODUCTION
    B. FRAMEWORK
    C. GOALS
        1. Measurable
        2. Realistic
        3. Clear and Specific
        4. Mutually Understood
    D. PROCESS MANAGEMENT
    E. SUMMARY

IV. STUDY RESULTS
    A. STUDY METHODOLOGY
    B. DEMOGRAPHICS
    C. DEMOGRAPHIC ANALYSIS
    D. EXPERIENCE ANALYSIS
    E. THEME 1: INSUFFICIENT RESOURCES
        1. Problem
        2. Solution
    F. THEME 2: LACK OF LEADERSHIP
        1. Problem
        2. Solution
    G. THEME 3: REDUNDANT DOCUMENTATION
        1. Problem
        2. Solution
    H. THEME 4: INEFFECTIVE TRAINING
        1. Problem
        2. Solution
    I. CONSOLIDATED SOLUTION
    J. SUMMARY

V. CONCLUSION
    A. LIMITATIONS OF RESEARCH
    B. AREAS OF FUTURE RESEARCH

APPENDIX. SURVEY QUESTIONS

LIST OF REFERENCES

INITIAL DISTRIBUTION LIST


LIST OF FIGURES 


Figure 1. Information Infrastructure [From: 8]

Figure 2. Phase 1 Task, Activities, and Inputs Diagram [From: 8]

Figure 3. Diagram of Phase 2 Task, Activities, and Inputs [From: 8]

Figure 4. Diagram of Phase 3 Task, Activities, and Inputs [From: 8]

Figure 5. Diagram of Phase 4 Task, Activities, and Inputs [From: 8]

Figure 6. Branch of Service

Figure 7. Years of Experience

Figure 8. Systems Certified and Accredited

Figure 9. Cost as a Factor in Authorizing the System for Use

Figure 10. Usage of Tools in Certifying and Accrediting Systems

Figure 11. Relationship between DITSCAP Documents [From: 27]

Figure 12. TCS Interpretation of Documents [From: 27]

Figure 13. Training



LIST OF TABLES 


Table 1. Management Responsibilities by DITSCAP Phase [After: 20] 





LIST OF ACRONYMS 


AIS        Automated Information System
C&A        Certification and Accreditation
CA         Certifying Authority
CT&E       Certification Test and Evaluation
DAA        Designated Approving Authority
DIACAP     DoD Information Assurance Certification and Accreditation Process
DCID       Director of Central Intelligence Directive
DITSCAP    DoD Information Technology Security Certification and Accreditation Process
DII        Defense Information Infrastructure
DoD        Department of Defense
IA         Information Assurance
IAM        Information Assurance Manager
IAO        Information Assurance Officer
IS         Information System
ISSM       Information Systems Security Manager
ISSO       Information Systems Security Officer
IT         Information Technology
OMB        Office of Management and Budget
OSD        Office of the Secretary of Defense
SSAA       System Security Authorization Agreement
ST&E       Security Test and Evaluation



DATA DICTIONARY 


Accreditation: Formal declaration by a Designated Approving
Authority that an information system is approved to
operate in a particular security mode at an acceptable
level of risk, based on the implementation of an
approved set of technical, managerial, and procedural
safeguards. [1]

Attack: Type of incident involving the intentional act of
attempting to bypass one or more security controls of
an information system. [1]

Availability: Timely, reliable access to data and information services
for authorized users. [1]

Certification: Comprehensive evaluation of the technical and
non-technical security safeguards of an information system
to support the accreditation process that establishes the
extent to which a particular design and implementation
meets a set of specified security requirements. [1]

Certifying Authority/Certifier: Individual responsible for making a technical judgment
of the system’s compliance with stated requirements,
identifying and assessing the risks associated with
operating the system, coordinating the certification
activities, and consolidating the final certification and
accreditation packages. [1]

Certification Test and Evaluation: Software and hardware security tests conducted during
development of an information system. [1]

Confidentiality: Assurance that information is not disclosed to
unauthorized individuals, processes, or devices. [1]

Data Security: Protection of data from unauthorized (accidental or
intentional) modification, destruction, or disclosure. [1]

Denial of Service: Type of incident resulting from any actions or series of
actions that prevents any part of an information system
from functioning. [1]

Designated Approving Authority: Official with the authority to formally assume
responsibility for operating a system at an acceptable
level of risk. [1]

Information System: The entire infrastructure, organization, personnel, and
components for the collection, processing, storage,
transmission, display, dissemination, and disposition of
information. [1]

Interim Approval: Temporary authorization granted by a DAA for an
information system to process information based on
preliminary results of a security evaluation of the
system. [1]

Penetration Testing: System testing designed to evaluate vulnerability of the
system to hostile attacks. [1]

Program Manager: The person ultimately responsible for the overall
procurement, development, integration, modification, or
operation and maintenance of the IT system. [2]

Security Test and Evaluation: Examination and analysis of the safeguards required to
protect an information system, as they have been
applied in an operational environment, to determine the
security posture of that system. [1]

Tempest: Short name referring to investigation, study, and control
of compromising emanations from IT equipment.
Moreover, the site may be inspected to determine if
adequate practices are being followed, and the
equipment may be subjected to TEMPEST testing. [1]

User Representative: Individual or organization that represents the user or
user community in the definition of information system
requirements. [2]



ACKNOWLEDGMENTS 


Many people contributed in multiple ways to this thesis. I would like to extend 
my appreciation especially to the following: God for the wisdom, perseverance, and
strength that he has bestowed upon me. My advisors, Karen Burke and Jim Ehlert,
for their support, guidance, and advice throughout the process. Indeed, without their 
guidance, I would not have been able to complete this thesis. LCDR Laura Barton and 
Professor Jeff Crowson for their countless hours expended in teaching me how to collect 
and to analyze statistical data. Of course, this project would not have been possible 
without the participation of the subjects. 

Last, but not least, I would like to thank my mother, Almarie Stewart Green, for 
her unconditional love and support, both financially and emotionally throughout all of my 
educational endeavors. I owe you my deepest gratitude. Your words and suggestions 
often boosted my courage and determination to write this thesis, and you will always 
have a special place in my heart. 





I. INTRODUCTION 


A. CURRENT ENVIRONMENT 

In today's globally networked environment, the Department of Defense (DoD) 
systems are increasingly vulnerable to information operations attacks. With the rapid 
advances in technology, the DoD is facing the challenge of increased threats from 
intrusion, Trojan horses, denial-of-service, and many other external attacks. 
Compounding this challenge is the exponential growth of information and technology. 
Information systems have extended to an unprecedented number of users. Use breeds 
dependence, and dependence creates vulnerabilities. Threats recognize vulnerabilities. 
Each threat undermines the DoD’s ability to safeguard the Defense Information 
Infrastructure (DII) by exploiting its weaknesses. These threats suggest that maintaining 
an acceptable level of information security has become increasingly difficult. Consider 
these statistics: 

• In 2000, the DoD detected more than 23,000 “events” or possible 
incursions on DoD unclassified computer networks compared to 225 
detected incidents in 1994 [3] 

• Successful intrusions or attacks on Navy computer systems increased from 
89 in 2000 to 125 in 2001 [3] 

• The detected number of cyber events on DoD’s Non Classified Internet 
Protocol Router Network increased dramatically from 780 events in 1992 
to 22,144 events in 1999 [4] 

• The Defense Information Systems Agency conducted a vulnerability test 
on the DoD information systems and found that 65 percent of the 
penetration tests executed were successful [5] 

• In 1995 Wright Patterson Air Force Base reported that it received 3,000 to 
4,000 attempts to access information each month from countries all around 
the world [5] 

• The “Love Bug” virus was estimated to cost over 15 billion dollars in 
damages [5] 

• In the Federal Government, the virus:

    • Damaged at least 1,000 NASA files

    • Caused the Department of Labor to expend 1600 employee
    and 1,200 contractor man hours to recover

    • Caused the Social Security Administration to take 5 days to
    become fully functional and to remove the virus from their
    system

• Computer Economics reported that the most costly virus in 2001 was
“Code Red” and its variants, which had an estimated worldwide economic
impact of 2.62 billion dollars. “Code Red” was labeled as a virus, but was
actually a worm that exploited a known buffer-overflow vulnerability in
Microsoft’s IIS web servers [6]

• Damages caused in the DoD:

    • The White House had to change its numerical internet web
    site addresses

    • Treasury Department’s Financial Management Service had
    to be disconnected from the internet [5]

• 530 U.S. organizations were surveyed and collectively reported that the 
losses resulting from cyber attacks in 2003 were 201.8 million dollars [7] 

These events should raise concern since information systems extend to an 
unprecedented number of users. Furthermore, one should keep in mind that this use 
breeds dependence and dependence generates vulnerabilities. 

B. DOD’S CERTIFICATION AND ACCREDITATION PROCESS 

To meet the challenges associated with mitigating these threats, the DoD 
augments additional security features within the DII and eliminates components that are 
not compliant with the security features of the infrastructure. An acceptable security level 
of the DII can be achieved with a rigid set of policies and guidance that provide an 
effective, but standardized, set of Information Assurance (IA) controls and a process for
verifying that they have been implemented. 

The policy used to achieve an acceptable security level of the DII is outlined in 
DoD Directive 8500.1 “Information Assurance.” This policy directs information 
assurance requirements to be identified and included in the information system’s 
lifecycle. Moreover, DoD Directive 8500.1 requires that the DoD certify and accredit 
information systems by using the Department of Defense Information Technology 
Security Certification and Accreditation Process (DITSCAP). The goal is to maintain the 
security posture of the DII. 

The DITSCAP helps meet this goal by standardizing the process and providing
detailed guidance to the DoD on how to certify and accredit its systems. The DITSCAP
is tailorable to any life cycle or program strategy and scalable to any DoD system that
collects, stores, transmits, or processes unclassified or classified information [8]. The 
four key roles in certifying and accrediting information systems include the Designated 
Approving Authority (DAA), Certifying Authority (CA), Program Manager (PM), and 
User Representative. 

The DAA is the individual who is ultimately responsible for authorizing the 
system for use based on an acceptable level of risk. The DAA relies on the data and 
recommendations provided from the other key roles. The CA is concerned with the 
technical aspects of the system. Furthermore, the CA determines if the system complies 
with stated requirements and prepares the certification package for the DAA’s review. A 
certification package is the collection of documents that describes the security posture of 
the system, an evaluation of the risks, and recommendation for correcting deficiencies 
[9]. The PM is the “person ultimately responsible for the overall procurement, 
development, integration, modification, and operation and maintenance of the 
information system” [8]. The PM role works closely with the other key roles during the 
certification and accreditation of the system. The final role involved in the certification 
and accreditation of the system is the user representative. This person is anyone who 
represents the user community of the information system. 

These roles are not all-inclusive; there are others who support these roles and are 
involved in the Certification and Accreditation (C&A) process. This thesis includes the 
key roles and their supporters, and collectively this group will be termed “key 
participants.” Many are engaged in the discussions about the challenges associated with 
the application of the DITSCAP to information systems. Furthermore, key participants 
have long debated whether or not the DITSCAP’s standard process effectively certifies 
and accredits new systems added to the DII and maintains accreditation of the current 
ones. Therefore, the DITSCAP is currently in transition to the Department of Defense 
Information Assurance Certification and Accreditation Process (DIACAP). “The 
DIACAP will establish the standard DoD process for identifying, implementing, and 
validating information assurance controls, for authorizing the operation of the DoD 
information systems, and for managing information assurance [10].” 





This thesis suggests that various alterations be made to the certification and 
accreditation process or its implementation. These alterations are based on research and 
observations of the certification and accreditation key participants. 

C. RESEARCH QUESTIONS 

1. Primary 

By analyzing past and current applications of the DITSCAP, can it be determined 
if its standards and procedures provide the means to certify and accredit information 
technology systems while maintaining the security of the DII? 

2. Secondary 

• What aspects of the DITSCAP aid or hinder the DAA, the Certifying
Authority, User Representative, Program Manager, and Information
Assurance Manager (IAM)/Information Assurance Officer (IAO) in
certifying or accrediting the system?

• What improvements should be implemented in the new DoD Information
Assurance Certification and Accreditation Process (DIACAP) and its
application manual?

D. SCOPE OF RESEARCH 

The primary objective of this thesis is to identify problems with the C&A process 
as specified in the DITSCAP. This thesis also recommends solutions to these problems 
that the Office of Secretary of Defense (OSD) can use in revising the DITSCAP and its 
implementation manual. Thus an underlying objective is to augment the overall 
effectiveness of the process. To achieve these objectives, this thesis analyzes the current 
C&A process and its implementation across various information systems and various 
DoD organizations. The analysis conducts a qualitative survey of key participants 
involved in C&A. Secondly, a trend analysis is conducted on the data to determine
successes, failures, and lessons learned. Finally, the results of this analysis are compiled
and recommendations are made to help the OSD revise the DITSCAP and make the
process more efficient. These recommendations can also be used to maximize the
usefulness of its accompanying application manual. 

E. METHODOLOGY 

The methodology for this thesis involved producing and administering a bias-free
survey. Naturally, designing the survey in a manner that ensured objectivity was crucial.
Thus a survey composed of carefully selected questions was created, and a wide-scale
audience was asked to participate in the survey. This allowed the participants to express
their opinions, yet reduced the possibility of having the results slanted or misapplied.
The methodology used for this survey entailed four stages:

• Designing the survey 

• Conducting the survey 

• Analyzing the survey results 

• Developing the conclusions, recommendations, lessons learned, and 
implications 

The first stage involved designing a survey composed of unbiased questions that 
solicited the participant’s true experience with the key activities in the process. The 
second stage of the process involved conducting the survey, which was distributed 
electronically to C&A participants from various commands of the Army, Navy, Air 
Force, and Marines who have played a role in the certification and accreditation process. 
The third stage of the process was analyzing the survey results. To interpret the 
responses, the author used two primary references: “The Survey Research Handbook,” 
written by Alreck and Settle, and “Survey Research Methods,” written by Earl Babbie. 
This interpretation of the results consisted of examining and categorizing the evidence to 
analyze the initial propositions of this thesis. Moreover, a descriptive statistical analysis 
method was used, thus allowing for the data to be described in a manageable form. 
Inferences were made based on the data obtained. The fourth stage of the process was 
developing the conclusions, recommendations, lessons learned, and implications. 





II. BACKGROUND 


A. INTRODUCTION 

Technology changes rapidly, which enables the DoD to have more functional 
networks but which also often burdens the DII because military leaders rely on the 
infrastructure for increasing support in both peacetime and combat missions. This 
reliance emerged because of the evolution of the technology that supports a networked 
environment. When the DoD became totally networked, its “business model” changed, 
making it difficult to withdraw capabilities from people who were accustomed to relying 
on them. 

B. INFORMATION ASSURANCE AND THE DII 

In simplest form, the DII contains a series of desktops, laptops, printers, servers, 
routers, switches and other devices that are connected together via wireless or wired 
technologies, running multiple applications that together perform the mission of the DoD. 
Figure 1, though not all-inclusive, illustrates a notional infrastructure with some typical 
components of the DII. It depicts a topology and illustrates how components might be 
connected to one another. These components include the following as defined in [11]: 

• Gateway - A network point that acts as an entrance to another network 

• Server - A server is a computer program that provides services to other 
computer programs (and their users) in the same or other computers 

• Multiple Applications - Programs designed to perform different functions
directly for the user or, in some cases, for another application program

• Shared Resources - Applications, data storage, and many more that are 
shared by multiple computer users 

• Local Area Network (LAN) - A local area network (LAN) is a group of 
computers and associated devices that share a common communications 
line or wireless link and typically share the resources of a single processor 
or server within a small geographic area 

• Wide Area Network (WAN) - A geographically dispersed 
telecommunications network that may be privately owned or rented, but 
the term usually connotes the inclusion of public (shared user) networks 

• Hub - A hub is a place of convergence where data arrives from one or 
more directions and is forwarded out in one or more other directions 





• Switch - A switch is a device that channels incoming data from any of 
multiple input ports to the specific output port that will take the data 
toward its intended destination 

• Router - A router is a device or, in some cases, software in a computer, 
that determines the next network point to which a packet should be 
forwarded toward its destination 

Technology has also given birth to innovations such as the Global Information 
Grid, Network Centric Operations, and FORCEnet that are the interconnection of 
networks comprised of these components and their secure operations. As the DoD 
explores these innovations and networks, risks associated with the security of information
in one component or system increase the likelihood of a weakened DII. Significant
breaches in the information infrastructure can reduce the likelihood of success of any
military engagement. As stated in the DITSCAP, “information and processes must be
protected to ensure an appropriate level of confidentiality, integrity, availability, and
accountability and to ensure that Defense operations are not disrupted and DoD missions
are accomplished [8].” The DITSCAP helps protect the infrastructure by implementing
DoD’s information assurance (IA) policy, assigning responsibilities, and prescribing
procedures. 



Figure 1. Information Infrastructure [From: 8] 

C. C&A AND POLICY 

Certification and accreditation dates back to the early 1970’s when the DoD and 
Government agencies initiated procedures to regulate security and to evaluate 
information systems [12]. “In August 1992, the OSD directed the Defense Wide 
Information Systems Security Program (DISSP) to create a standardized set of 
requirements for accreditations of computers, systems, and networks” [8]. DISSP formed 
a working group to develop the process. The working group implemented guidance from
the following policies to create the DITSCAP:

• DoD Directive 5200.28 

• Public Law 100-235 

• OMB Circular A-130 (Appendix III) 

• DoD Directive 5220 and DCID 1/16 

The following paragraphs highlight the relationship of these policies to the DITSCAP. 

1. DoD Directive 5200.28 

DoD Directive 5200.28 (Security Requirements for Automated Information
Systems (AISs)), dated March 21, 1988, applied to all AISs that collected, stored,
transmitted, or processed classified, sensitive unclassified, or unclassified information
[13]. This directive further employed the life cycle management approach for computer
security, a key element reflected in the DITSCAP’s approach to information security.

In October 2002, DoD Directive 8500.1 replaced DoD Directive 5200.28 
(Security Requirements for Automated Information Systems (AISs)) dated March 1988, 
DoD Directive 5200.28-M (ADP Security Manual) dated January 1973, and DoD 
Directive 5200.28-STD (DoD Trusted Security Requirements for Automated Information 
Systems) dated December 1985. DoD Directive 8500.1 stated that “information assurance 
requirements shall be identified and included in the design, acquisition, installation, 
operation, upgrade, or replacement of all DoD information systems in accordance with 10 
U.S.C. Section 2224, Office of Management and Budget Circular (OMB) A-130, 
Appendix III, DoD Directive 5000.1 (references (a), (j), and (k)), this Directive, and other 
IA-related DoD guidance, as issued” [14]. DoD 8500.1 established policy and
responsibility under the Defense Information Assurance Program. Included in the policy
was the mandate of the DoD to establish a minimum set of security controls for major
applications and general support systems. A security plan was also required. The DoD
Instruction 8500.2 of 2003 implemented policy, assigned responsibility, and prescribed
procedures for applying integrated, layered protection of the DoD information systems
and networks under DoD Directive 8500.1 [15]. This instruction provided
implementation guidance and security controls for ensuring the confidentiality, integrity,
non-repudiation, and availability of information. Furthermore, this directive discussed
how the DoD would enforce IA through a defense-in-depth (DID) approach. DID is a
physical and logical structure that requires a layering of security policies, procedures, and
technology mechanisms to protect network resources, from the desktop to the enterprise,
within and across the enterprise architecture [16]. Layered defenses include, but are not
limited to, the installation of IA policy protections complementing the use of proxy
services, firewalls, Intrusion Detection Systems (IDS), implementation of Demilitarized
Zones (DMZs), redundant filtering policies across devices, and access control and
accountability [16].

2. Public Law 100-235 

The second policy implemented by the DISSP in creating the DITSCAP was 
Public Law 100-235. Also termed the “Computer Security Act of 1987,” this law created 
a means for establishing the minimum acceptable security practices for improving the 
security and privacy of sensitive information in federal computer systems [17]. In 
addition, this law empowered the National Institute of Standards and Technology with 
establishing procedures for federal systems that process unclassified data. 

3. OMB Circular A-130 (Appendix III) 

The third policy used to create the DITSCAP was OMB Circular A-130 Appendix 
III. This Appendix “established a minimum set of controls to be included in Federal 
automated information security programs; assigned Federal agency responsibilities for 
the security of automated information; and linked agency automated information security 
programs and agency management control systems established in accordance with OMB 
Circular No. A-123” [18]. This policy established the Systems Security Plan (SSP) where 
pertinent information concerning IA of the system is to be documented. The DITSCAP 
followed this same approach; however, it documented the system IA data in the System 
Security Authorization Agreement (SSAA). 


4. DoD Directive 5220 and DCID 1/16 

The final policies used to create the DITSCAP were the combination of the 
Director of Central Intelligence Directive (DCID) 1/16 and DoD Directive 5220. “DCID 1/16 
applied to all U.S. Government organizations, their commercial contractors, and Allied 
governments that utilized Automated Information Systems (AIS) and networks to 
process, store, and transmit U.S. foreign intelligence and counterintelligence information 
that has been classified pursuant to Executive Order 12356 [19].” Furthermore, DCID 
1/16 aimed to improve the security of intelligence processed in AISs. DCID 1/16 and 
DoD 5220 required that the systems and networks that process intelligence be accredited. 
The ultimate goal was to ensure that classified information was protected from 
compromise. 

D. DEFINITIONS 

What is meant by the terms “certification” and “accreditation?” According to 
DoD Instruction 5200.40 (DITSCAP), certification is a security analysis of administrative 
procedures, information systems, and communications. The DITSCAP states that 
accreditation is a declaration by the Designated Approving Authority that an Information 
Technology (IT) system is approved to operate in a particular security mode using a 
prescribed set of safeguards with an acceptable level of risk [2]. This means that having 
accredited systems further ensures that the security posture of the DII is maintained. 

E. THE CERTIFICATION AND ACCREDITATION PROCESS 

The certification and accreditation process contains four phases: Definition, 
Verification, Validation, and Post Accreditation. Each phase contains tasks, activities, 
and inputs to those activities. 

1. Phase 1: Definition 

The definition phase is the first phase of the process. During this phase, the four 
key roles agree on the intended mission, security requirements, certification and 
accreditation boundary, schedule, level of effort, and required resources [8]. Its activities 
include verifying the system mission, describing the environment and architecture, 
identifying the threat, defining the levels of effort, and recognizing the key participants of 
the system [8]. The SSAA, the agreement between the key roles, is generated during this 
phase. Furthermore, it contains all information regarding the C&A efforts of the system. 
The tasks outlined in this phase allow the key participants to obtain a good understanding 
of the system and their tasks. This stage is critical in the process because it sets the tone 
for the C&A of the system. Figure 2 illustrates how the tasks, activities, and inputs of 
Phase 1 interact with each other. 


[Figure 2 diagram. Recoverable labels: 4. Describe environment and threat; 5. Describe 
system architecture; 6. Determine Security Requirements; 7. ID organization and 
resources; 8. Tailor DITSCAP and work plan; 9. Draft SSAA; 12. Approve Phase 1 draft] 

Figure 2. Phase 1 Task, Activities, and Inputs Diagram [From: 8] 

2. Phase 2: Verification 

The second phase in the process is verification. Figure 3 illustrates the 
arrangement of the tasks, activities, and inputs of Phase 2. The system must comply with 
the requirements of the SSAA. Any changes to the system’s security requirements are 
reflected in the SSAA. Phase 2 activities include verifying security requirements during 
system development or modification, and certification analysis [8]. The tasks listed in this 
phase allow the key participants to reconfirm the requirements identified in Phase 1. This 
phase is critical because if the requirements are incorrect, delays in certification can 
occur. For example, a change in the system boundary could impact the cost and schedule 
initially agreed upon by the key roles. Phase 2 tasks force the key roles to address 
changes early in the life-cycle process. The tasks, activities, and inputs are illustrated in 
Figure 3. 


[Figure 3 diagram. Recoverable labels: input "SSAA from Phase 1, Systems Documents, 
Configuration Control Plans, etc"; "Phase 2: Verification"; "Life-Cycle activity"; tasks 
1. System Architecture Analysis; 2. Software Design Analysis; 3. Network Configuration 
Rule Compliance; 4. Integrity Analysis of Integrated Products; 5. Life Cycle Management 
Analysis; 6. Security Requirements Validation Procedures; 7. Vulnerability; decision 
branches "Yes" and "No"; "Updated SSAA"; "Phase 3 Validation"] 

Figure 3. Diagram of Phase 2 Task, Activities, and Inputs [From: 8] 

3. Phase 3: Validation 

The third phase in the process is validating system compliance with the SSAA 
requirements in the operational environment. Figure 4 depicts the relationship of the 
entities comprising this phase. The objective of this phase is to obtain approval from 
the DAA to operate that system at an acceptable level of risk. This phase consists of 
multiple analyses and evaluations such as Security Test and Evaluation (ST&E), 
TEMPEST, COMSEC, management analysis, and many more to ensure that the system 
operates as prescribed in a specified computing environment with an acceptable level of 
risk [8]. 



The results of these tasks are documented in the SSAA. The certifier must 
evaluate each task for completeness and determine if the operational system is consistent 
with the approach stated in the SSAA [8]. The key participants continuously update the 
SSAA as details evolve during validation. The certifier recommends accreditation of the 
system to the DAA when all the tasks are satisfactorily completed. 

As discussed, tasks outlined in this phase require the key participants to test the 
system for remaining vulnerabilities. The goal is to identify these vulnerabilities and 
mitigate them. This phase is important because a vulnerability that is not identified 
weakens the DII if exploited. The tasks, activities and inputs are illustrated in Figure 4. 




[Figure 4 diagram. Recoverable labels: input "SSAA from Phase 2, Test, Procedures and 
Site Information"; "Phase 3: Validation"; tasks "Evaluation"; 2. Penetration Testing; 
3. TEMPEST and RED-BLACK Evaluation; 4. COMSEC Compliance Evaluation; 5. System 
Management Analysis; 6. Site, Accreditation Evaluation; 7. Contingency Plan Evaluation; 
8. Risk Management Review; "Phase 4 Post Accreditation"] 

Figure 4. Diagram of Phase 3 Task, Activities, and Inputs [From: 8] 

4. Phase 4: Post Accreditation 

The fourth phase is the post accreditation phase of the system. It begins after the 
system is accredited and becomes operational. The necessary steps (depicted in Figure 5) 
outlined in this phase ensure that accreditation is maintained throughout the system’s life 
cycle. An acceptable level of risk must be maintained throughout the life cycle of the 
system. Moreover, the system must comply with the requirements established in the 
SSAA. Activities associated with post accreditation are the maintenance of the SSAA, 
system operation, security operations, configuration management, and compliance 
validation. The tasks identified during this phase assure the DoD that the security of the 
system is maintained, ultimately maintaining the security posture of the DII. The tasks, 
activities, and inputs are illustrated in Figure 5. 


[Figure 5 diagram. Recoverable labels: input "SSAA from Phase 2, Test, Procedures and 
site information"; "Phase 4: Post Accreditation"; "System Operations"; "Security 
Operations" with tasks 1. SSAA Maintenance; 2. Physical, Personnel & Management 
Control Review; 3. TEMPEST Evaluation; COMSEC Evaluation; 5. Contingency Plan 
Maintenance; 6. Configuration Management; 7. System Security Management; 8. Risk 
Management Review; "Compliance Validation" with tasks 1. Site and Physical Security 
Validation; 2. Security Procedures Validation; 3. System Changes and Radical Impact 
Validation; 4. System Architecture and System Interface Validation; 5. Management 
Procedures Validation; 6. Risk Decisions Validation; decision branches "Yes"; 
"Phase 1, Definition"] 

Figure 5. Diagram of Phase 4 Task, Activities, and Inputs [From: 8] 

F. KEY ROLES 

Four key roles play a major role in the certification and accreditation of the 
system. The four key roles are the Program Manager, Designated Approving Authority, 
Certifying Authority, and User Representative. Each role may have individuals 
supporting them in fulfilling their responsibilities, which vary by phase. Table 1 [8] 
summarizes the management responsibilities of the key roles per the phase of the 
DITSCAP. These individuals interact to complete the tasks and activities of the four 
phases of the process. 


MANAGEMENT RESPONSIBILITIES BY DITSCAP PHASE 

Phase 

Program Manager 

Designated Approving Authority 

Certifying Authority 

User Representative 

1 

Initiate security dialog with 
DAA, CA, and user 
representative. (“Register” 
the system.) 

Designate the CA 


Document Mission 
Need Statement. 


Define system development 
schedule and budget. 

Define system accreditation requirements. 

Define system certification requirements 

Validate security 
requirements 


Define security requirements 



Define and/or 
validate system 
performance, 
availability and 
functional 
requirements 


Define and/or validate 
system performance, 
availability and functional 
requirements. 





Determine certification level. 

Approve certification level 

Validate certification level 



Determine system class. 

Approve system 
class 

Validate system class determination 



Support DITSCAP tailoring 
and level of effort 
determination. 



Support drafting of 
the SSAA 


Draft or support drafting of 
the SSAA. 

Support drafting 
of the SSAA 

Draft or support 
drafting of the 
SSAA. 

Reach agreement on 
the SSAA 


Reach agreement on the SSAA 

Approve the SSAA. 

Reach agreement 
on the SSAA 


2 

Review the SSAA. 

Review the SSAA 

Review the SSAA 

Review the SSAA 


Refine SSAA as required 

Approve the 
refined SSAA 

Refine SSAA as 
required. 

Refine SSAA as 
required. 


Provide to the CA the 
following: 

• Mission Statement 

• Environment 
description 

• Architectural 
changes 


Incorporate 
mission statement, 
environment 
description, and 
architectural 
changes into 
certification 
analysis tasks. 



Support the system development effort and monitor progress 

Monitor development activities. 

Monitor development activities 

Participate in development activities 


Support the Phase 2 
certification analysis tasks 

Monitor the 
certification 
analysis activities. 

Conduct the Phase 2 certification analysis 

Support the Phase 2 
certification 
analysis tasks 


Review certification results. 

Review certification results. 

Prepare 
certification 
results report 

Review certification 
results. 


Modify systems as required. 




3 

Review the SSAA. 

Review the SSAA 

Review the SSAA 

Review the SSAA 


Refine SSAA as required 

Approve the 
refined SSAA. 

Refine SSAA as 
required. 

Refine SSAA as 
required 


Conduct system testing. 

Monitor the 
system tests 

Monitor the 
system tests. 

Participate in the 
system tests 


Support the Phase 3 
certification analysis tasks 

Monitor the 
certification 
analysis activities. 

Conduct the Phase 3 certification analysis tasks. 

Support the Phase 3 
certification 
analysis tasks. 


Review certification results. 

Review certification recommendation and the accreditation package 

Prepare 
certification 
results report, and 
certification 
recommendation 

Review certification 
results. 


Assemble the accreditation 
package and submit to DAA. 

Issue accreditation 
letter 


Maintain the SSAA, 
and the 
accreditation 
documentation 

4 

Review SSAA periodically 

Review SSAA 
periodically. 

Provide support as 
mutually agreed 

Review SSAA 
periodically 


Operate the system as 
described in the SSAA. 

Establish re-accreditation requirements. 


Operate the system 
as described in the 
SSAA 


Table 1. Management Responsibilities by DITSCAP Phase [After: 20] 

G. SUMMARY 

This chapter provided the reader with an overview of the DITSCAP and how it 
came into being. Furthermore, the four policies that the DITSCAP implemented 
were discussed, and figures illustrating the relationship between the tasks and activities of 
each phase of the process were presented. 





III. THE DITSCAP AS A PROCESS 


A. INTRODUCTION 

The mechanics of the DITSCAP have received considerable attention from both 
policy makers and practitioners. Unfortunately, though, practice does not always follow 
theory, and many organizations continue to experience difficulty in following the 
DITSCAP as it is prescribed in the instruction. One source of such adversity is that 
practitioners fail to understand that the DITSCAP is a process, one that fosters 
information assurance. “The DITSCAP establishes a standard process, set of activities, 
general task descriptions, and a management structure to certify and accredit information 
technology (IT) systems that will maintain the security posture of the Defense 
Information Infrastructure [2].” 

This chapter provides a systematic approach for thinking of the DITSCAP as a 
process. First, it defines a general process in broad terms and illustrates how this 
definition relates to that of the DITSCAP. Second, it maps important characteristics and a 
significant feature of general processes to that of the DITSCAP. 

B. FRAMEWORK 

In any process, the roles and responsibilities of the key participants involve more than 
offering up good ideas at the earlier stages; they also involve adhering to those ideas 
throughout the process. 
A process is defined as a series of actions, changes, or functions bringing about a result 
[21]. The intended result of the DITSCAP is to maintain information assurance and the 
security posture of the DII [8]. It requires that key participants go through a series of 
tasks and activities to certify and accredit systems and maintain accreditation throughout 
the life cycle of the system. 

The advantage of following a process is that it provides a framework for 
personnel to use. The process provides a roadmap for the participants to follow. The four 
phases of the DITSCAP tasks and activities are its framework as discussed in Section II 
of this paper. 





C. GOALS 

Though a framework is important, defining the goals of the process is equally 
important. A goal is defined as “the objective or purpose toward which an endeavor is 
directed [21].” “Probably the most important function of a goal is that it directs and 
motivates the team. Without a common goal, the individual goals, each being unique, will 
have to be followed, since there is no other guidance [22].” 

Goals are important to the success of any process. The goal (objective) of the 
DITSCAP is “to establish a DoD standard infrastructure-centric approach that protects 
and secures the entities comprising the DII [2].” Successful establishment of goals is one 
metric that separates good processes from bad ones. In this context, the DITSCAP is a 
good process because its goal was successfully established. The establishment of goals is 
important to any process; however, ensuring that the goal is useful is just as important. 
One way to accomplish this task is to ensure that the goal is measurable, realistic, clear 
and specific, and mutually understood [9]. 

1. Measurable 

Measurability of the process goals is the first characteristic and is important 
because measurability provides management with a tool to determine if progress has been 
made in achievement of the goal. In addition, process goals are used to guide the 
participants in a direction and assist in controlling and correcting process performance 
[23]. The DITSCAP requires that a certification and accreditation plan be developed and 
included in the SSAA. This plan includes cost and schedule data and supporting resource 
requirements that provide a mechanism for measuring progress of the process throughout 
the lifecycle. Additionally, by aligning phases of the DITSCAP with the lifecycle 
milestones, milestone decision authorities can include information gained from the 
end-of-phase refinement of the SSAA to their decision process for determining if the system 
is ready to move to the next milestone. 

2. Realistic 

Realistic goals are ones that are attainable. This is the second characteristic of a 
good process. “Creating goals that are not attainable will only dampen the spirits of the 
participants, thus goals should be set to consider time, skills, money, and resources 
available to the team [23].” The DITSCAP goal possesses this characteristic as 
illustrated by the hundreds of systems that have been successfully accredited by this 
process. 

3. Clear and Specific 

The third characteristic of a good process goal is that it must be clear and specific. 
“Clear goals are usually short in length and stated best in one phrase [23].” The implicit 
goal [objective] of the DITSCAP is to be a standard approach that protects and secures 
entities of the DII. The objective is clear and specific and has been achieved by various 
services and agencies on numerous systems. 

4. Mutually Understood 

The final characteristic of a good process goal is that it must be mutually 
understood. Process participants need to understand the process goals and realize their 
stake in them [23]. This DITSCAP goal is achieved as a result of the efforts of many 
government and civilian organizations to provide mechanisms for familiarizing the DoD 
with the DITSCAP. DoD published an implementation manual, DoD 8510.1-M [8], 
presenting a detailed approach to activities comprising the C&A process. The Defense 
Information Systems Agency (DISA) established an Information Assurance Support 
Environment web portal that makes the DITSCAP and the information necessary to 
implement the DITSCAP available to everyone. Through this site one can obtain answers to specific 
DITSCAP-related questions to further assist in applying the process goals. There are 
other websites, compact disks, formal courses, and computer-based training that are 
available where participants obtain information on the DITSCAP. All of these sources 
provide a means that ensures that it is mutually understood. 

D. PROCESS MANAGEMENT 

With the characteristics of a process goal defined, and references made to 
illustrate those of the DITSCAP, there exists a significant feature of a process that is also 
common to the DITSCAP. This feature is process management. 

Process management is defined as the management of a collection of activities 
that lead to the accomplishment of the ultimate goal of the process [24]. A common 
characteristic of a process is that it has activities and tasks associated with it. In fact, 
organizations may have many processes that interact with each other, thus making them 
harder to manage. The DITSCAP is no different in that it also incorporates activities and 
tasks in its structure. These tasks vary in size and complexity. For example, a simple task 
of the DITSCAP is registering the system being certified and a complex one is drafting 
the SSAA to capture the entire certification and accreditation effort. Processes also have 
stopping points where decisions must be made before moving to the next activity in the 
process. These decision states are part of process management. The DITSCAP 
incorporates process management by including decision points in each phase as 
illustrated by the diamond shaped symbols in Figures 2-5. For example, in Phase 1 
(Definition), the decision point is placed after the negotiation activity. This decision point 
questions whether the key roles have agreed on the level of C&A effort that will be 
required for the system. In addition, it is at this decision point where the key roles agree 
on their roles and responsibilities and ensure that the SSAA accurately describes the 
system. If an agreement is not achieved, negotiation continues. If an agreement is made, 
then the SSAA is adopted and Phase 2 (Verification) is commenced. 

Tasks, activities, and decision points that lead to the ultimate goal are also 
incorporated in the other phases of the DITSCAP. For example, in Phase 2 the key roles 
use the tasks and activities associated with the certification analysis of each development 
and integration milestone to determine if the results deviate from what is stated in the 
SSAA; a significant deviation may result in the DITSCAP returning to Phase 1 [8]. 
Should the results reflect stated criteria as written in the SSAA, the key roles commence 
activities and tasks of the next phase. 

E. SUMMARY 

This chapter provided the reader with a better understanding of the relationship of 
the DITSCAP to that of any general process. Often key participants fail to realize that the 
DITSCAP is a process that has a variety of tasks and activities incorporated throughout its 
phases, each of which contains decision points where the key roles decide if the 
certification efforts should advance to the next phase or not. These activities, tasks, and 
decision points comprise the roadmap by which the key roles execute and manage the 
process, thus ensuring that the goal of the DITSCAP is achieved. 





IV. STUDY RESULTS 


A. STUDY METHODOLOGY 

This DITSCAP study involved the collection of data relative to the key 
participants’ certification and accreditation (C&A) experiences and observations. The 
ease in the design and the conduct of the study resulted from understanding that the 
DITSCAP is a process. As stated in the previous chapter, goals are essential to the 
success of a process. Hence, the clarity of the DITSCAP goals allowed for the facile 
generation of the study questions. Moreover, the potential answers to these questions 
were presented for the extraction of the key participants’ behaviors in the application of 
the process. 

The study was conducted in two parts: survey (Appendix) and interviews. Both 
survey and interview were further broken into two parts: demographics and DITSCAP 
experiences. 

In order to obtain data on the application of the DITSCAP, the target audience 
had to be identified. In this case, the target audience comprised personnel involved with 
the DITSCAP’s four key roles (Designated Approving Authority, Certifying Authority, 
Program Manager, and User Representative) and those who support these roles. They 
will be referred to collectively as key participants. With the target audience identified, 
key participants at various commands in the Army, Navy, Air Force, and Marines were 
requested via phone and email to take the survey and asked to solicit additional key 
participants also interested in taking the survey. The survey was web-based, thus making 
it easy for participants to forward this request containing the survey link to as many key 
participants as possible. Though it was difficult to determine if the survey was actually 
forwarded to other key participants, several known key participants stated that 
they had complied. This increased the survey distribution and maintained anonymity. 
Individuals had the option of taking the survey on-line, without the surveyor’s knowledge, or 
participating in a phone interview conducted by the author of this thesis. In all cases, no 
personal information was collected. 





B. DEMOGRAPHICS 

The demographics portion of the survey asked general organizational background 
questions about respondents and the number of systems certified and accredited. For 
example, the survey posed questions about the participant’s years of experience, number 
of systems certified and accredited, and branch of service. These types of questions were 
used to extract patterns by service, role, and experience. 

The experience portion of the survey asked questions concerning the respondents' 
past and current experiences in using the DITSCAP to certify and accredit information 
systems. The participants were asked to respond to a number of questions in various 
areas to include their work relationship with other participants involved in the process 
and avenues taken to solve problems. A text-entry comment box was located at the end of 
the survey for participants to contribute whatever additional information they deemed 
relevant. 

The second part of the study was conducting interviews. Interviews were 
conducted to complement the findings of the survey and to further gain a personal account 
of the participants’ experiences. The interview began with the same demographic 
questions asked in the survey. Next, the participants were asked supplemental questions 
on their experiences with the DITSCAP. The objective was to capture as much 
information as possible on past and current accounts of the participants’ C&A experience. In 
most cases, the interviews were conducted by telephone because of funding shortfalls for 
travel. 

Of the 34 people who were given the opportunity to participate in the study, 19 
responded. This is a 56% response rate, which is acceptable according to Earl Babbie, 
“Survey Research Methods.” For those who participated in both parts of the study 
(survey and interview), the results have been counted only once. The results of the study 
are presented in two parts: demographics and themes revealed. The first part is a display 
of the demographics of the participants involved in the study. These demographics 
include figures that exhibit the branch of service, years of experience, and number of 
systems certified and accredited by the respondents. Demographics are important to 
the credibility of the respondents surveyed and interviewed and to establishing trends. The 
demographics of the participants in this study are described in Figures 6 through 8. 


[Figure 6 chart. Recoverable labels: title "Study Sample"; axis "Branch"] 


Figure 6. Branch of Service 

Figure 6 indicates the distribution of the respondents by Service. 


[Figure 7 chart. Recoverable labels: title "Years of Experience"; axis "Years"] 


Figure 7. Years of Experience 

The years of experience distribution of the participants in the study illustrates that 
the average was two years of experience in certification and accreditation. 


[Figure 8 chart. Recoverable labels: title "Systems Certified and Accredited"; axis 
"Number of Systems"] 


Figure 8. Systems Certified and Accredited 

Figure 8 illustrates the number of systems certified and accredited by the 
participants of the study. This figure includes individuals who were surveyed and 
interviewed and illustrates that over 200 systems were certified and accredited by the 19 
participants. 

C. DEMOGRAPHIC ANALYSIS 

The demographics of the study suggest that a wide audience participated in the 
study. This audience had over 70 years of combined C&A experience. In addition, the 
analysis of the demographic revealed that there was a fairly even distribution of the 
participants from each of the four services and an even distribution of experience. 
Distribution across the services is important because each service has a different culture, 
which ultimately affects its views and understandings. This study aimed to gather inputs 
across the entire target audience and the demographic data collected supports this goal. 

D. EXPERIENCE ANALYSIS 

The second part of the presentation focuses on the recurring themes that were 
gathered from the study. These themes are insufficient resources, lack of leadership, 
redundant documentation, and inadequate training. These themes were revealed during 
the descriptive statistical analysis of the survey compilation and during an evaluation of 
the data from personal interviews. 

Each of these themes is presented and analyzed in sections E-H below. A 
consolidated solution is offered in section I. 

E. THEME 1: INSUFFICIENT RESOURCES 

1. Problem 

The first theme revealed by the data was that many organizations have inadequate 
resources, such as personnel and money, to meet the requirements of the DITSCAP. 
Over 50% of the respondents cited staffing shortfalls as an impediment in generating 
SSAAs. Additionally, in another interview, a respondent stated, “Our organization lacks 
the necessary staff to maintain secure systems while at the same time the manpower 
required to generate a SSAA for each of our many different system configurations.” This 
respondent further stated that one of the primary concerns of the organization was to 
secure its information systems and a secondary concern was to generate an SSAA for 
each system configuration. This “securing the system first” attitude is commonly 
witnessed at local commands where the systems are small and less complex; however, for 
larger commands that have more complex systems, this attitude usually does not exist. 
These types of large commands have a number of people supporting each of the key 
roles. For example, one of the responsibilities of a PM is to assess the risk associated 
with operating the system, and one respondent in the study reported that four people 
supported the PM in adhering to this responsibility. 

As one can see, C&A requires a commitment of resources that can vary by 
program. Some programs are larger than others and thus require an additional level of 
effort. The complexity of the system can increase the level of effort. For example, the 
Security Test and Evaluation (ST&E) is an analysis of the safeguards needed to protect 
the system. Depending on the complexity of the system, there could be one or many 
people performing this task. Achieving a balance between information availability and 
information security is a challenging task for any organization, but using the DITSCAP 
assures that information in the system is protected. The DITSCAP is an enabler of 
information security and its success hinges on a sufficient number of people to fulfill its 
requirements, such as generating the SSAA. 

The lack of personnel was not the only element identified in the first theme of 
inadequate resources; the lack of money was the other. Participants in the study cited 
insufficient funds as the greatest hindrance to a successful application of the DITSCAP. 

The survey posed the following: “Cost required to alleviate the risks of the system 
played little in the decision to authorize the system for use.” Figure 9 clearly illustrates 
that the respondents mostly disagreed with the statement. Cost was considered by some in 
the decision to authorize the system for use; however, this suggests perhaps that risk was 
a higher concern. 





[Figure 9 chart: title “Costs”; response categories: Disagree, Mostly Disagree, Neutral, Mostly Agree, Agree]


Figure 9. Cost as a Factor in Authorizing the System for Use 


Participants further noted that lack of money prevented the organization from 
purchasing the necessary tools needed to meet the objective of certifying the system for 
use as outlined in the DITSCAP. Tools in this context are those that aid the
key participants as they fulfill the requirements of Phases 1 through 3. The problem is that
the DITSCAP lacks these tools. Some respondents did state that the procurement of
Phase 4 tools, which allow the key participants to securely operate their systems, is
needed. Though widely available, these tools are expensive. Nevertheless, they are quite 
useful when certifying and accrediting an information system. When asked if they used 
tools in the DITSCAP, 100% of the participants in the study said “yes.” Figure 10 
illustrates some of the common tools used by the participants. The participants were able 
to select multiple choices. 


[Figure 10 chart: title “Tools Used”; x-axis “Tools” with categories Xacta, eMass, RMS, Security Scanners, Other Tools]


Figure 10. Usage of Tools in Certifying and Accrediting Systems 


One respondent in an interview further stated that a web-based tool is needed to 
automate the process of routing the SSAAs between commands and subcommands. 
Automated web-based tools would be helpful because they decrease the time needed to 
route SSAAs requiring the DAA’s approval. Typically, when a command disapproves an
SSAA containing errors from one of its subcommands, the SSAA is mailed back to the
subcommand for revision and resubmitted to the parent command when changes are
made. The process continues until all errors are eliminated and the system is approved
for operation. Depending on the number of errors contained in the initial SSAA and the
speed of the mail system, this could be a fairly long process. Web-based tools would
automate this process, thus decreasing the time needed to approve the SSAA. The SSAA
is a document whose length most often increases as the complexity of the
system being certified and accredited increases. Hence, for complex systems, the SSAAs
contain multiple appendices and enclosures and could be over 200 pages in length. A tool
would provide commands with the ability to review SSAAs for correctness via the web. 
Changes can be made more rapidly as the subcommand would not have to wait for the 
SSAA to be routed back from the parent command. 

Note that lack of resources was identified as a concern not only in this study, but
also in a General Accountability Office (GAO), then General Accounting Office, study of the
DoD agencies’ abilities to provide adequate information security controls. GAO
report number 04-376, to congressional members, revealed that 75% of the major 
agencies it surveyed stated that funding and staffing issues were the most common 
challenges and obstacles in certifying and accrediting information systems [25]. These 
concerns were stated in 2004, well after the events of 9/11, which further emphasized the
importance of the DoD compliance with the DITSCAP. The significance of 9/11 is that it 
emphasized the importance of information sharing between many agencies, both local 
and foreign, in order to prevent terrorists from conducting malicious activities or harm to 
the United States. As this information is shared, the DII must be protected through C&A 
that ensures that the information is reliable. Moreover, these concerns were stated one 
year after the DoD spending on information technology security increased from $2.7 
billion in fiscal year 2002 to $4.2 billion in fiscal year 2003 [25]. A conclusion could be 
drawn from the GAO report and study conducted as part of this thesis that a lack of 
adequate funding for information security inhibits compliance with DITSCAP. 

2. Solution 

It is the author’s contention that sufficient resources should be provided to
accomplish the tasks and activities of the DITSCAP. The local IA staffs are
overburdened as they attempt to mitigate emerging security threats. It should be noted
that most staffs contain an Information Assurance Manager (IAM) whose primary job is
not that of being an IAM; the IAM position is a collateral duty. Moreover, this person
may have many other collateral duties such as protecting the operational system from
emerging threats and reviewing audit trails. This leaves little time for the IAM to
complete the DITSCAP tasks. Contracting certain aspects of the DITSCAP such as
updating the SSAA could reduce some burden placed on the IAM, but this requires an
adequate amount of available funding. In addition, the complexities of an increased
workload are such that, until or unless organizations are infused with sufficient resources,
they will continue to operate in the “catch-up” mode. Also, organizations with limited 
staffs could use resources to employ additional personnel. The resource needs are critical 
and must be addressed if organizations are expected to provide proper security for their 
information systems. 

Another recommendation is to provide tools that commands could use in C&A. 
Resources could be used to purchase tools that could identify system vulnerabilities and 
verify proper system configuration. In this context, the term “tools” includes a wide 
variety of devices, such as a security scanner, RMS, or Xacta IA Manager software. In 
addition, these tools vary in price as a security scanner could cost as little as $49 or as 
much as $300. Some tool suites are as much as $8000. Participants continuously stated 
that tools could be used to decrease the time required to complete the tasks and activities
required in the DITSCAP. For example, the Security Test and Evaluation (ST&E) is 
required during Phase 3 (Validation). It includes an examination of the safeguards 
needed to protect the system. Tools such as scripts or test procedure writing software 
would decrease the time needed to perform this task, thus allowing key participants to 
focus on other areas in the application of the DITSCAP. In the long run, saving time
could potentially save resources. 

F. THEME 2: LACK OF LEADERSHIP

1. Problem 

A lack of leadership hinders successful DITSCAP application. Leadership is 
defined as a process by which a manager influences others to accomplish an objective or 
goal [26]. Moreover, leadership is an art by which a manager accomplishes an objective 
or goal by relying on personal attributes such as morals, values, beliefs, knowledge, and 
character [26]. Attributes play a major role in a manager’s ability to fulfill the goals of 
the organization. 

Leadership helps to ensure that everyone at the command understands that the 
DITSCAP fosters information security. One respondent of the study suggested that 
organizational compliance with the DITSCAP would be easy if upper management (in this
case, a responsibility of this command’s Information Assurance (IA) Section) stated its
importance. This issue raised an important question as to what caused leadership to place
such little emphasis on the DITSCAP. The results of the study suggest that leadership
fails to understand the need for IA and the policies that require the application of the
DITSCAP. Hence, a phenomenon is created where leaders are not focused on the 
application of the DITSCAP and thus fail to monitor its compliance. 

2. Solution 

Leadership must be formally trained on the need and importance of applying the 
DITSCAP in an effort to safeguard the DII. Furthermore, they should review and 
understand the policies required for its application. 

G. THEME 3: REDUNDANT DOCUMENTATION 

1. Problem 

The third theme revealed in the data was that the DITSCAP documentation must 
be streamlined. Participants in the study revealed several areas of the DITSCAP that 
require redundant documentation. For example, in July 2000, Trusted Computer 
Solutions, Incorporated, analyzed the DITSCAP and its supporting documentation and 
found that both the Concept of Operation (CONOPS) and the Information Systems 
Security Policy portion of the SSAA required key participants to describe the system to 
be certified, thus capturing the information twice. 

2. Solution 

DITSCAP documentation should be streamlined to eliminate redundancy. 
Processes in which multiple documents are generated are susceptible to information 
redundancy. A good approach to follow is the one taken by Trusted Computer Solutions, 
Incorporated (TCS), which mapped the information content of the DITSCAP’s 
supporting documents to one another.

TCS is a software vendor that provides products to the DoD according to the 
requirements of the DITSCAP. In July 2000, TCS released a report that outlined 
redundancies in DITSCAP documentation. The study began with a display of all 
documents that supported the DITSCAP and illustrated the relationship of these 
documents to one another. Figure 11 displays their findings.






Figure 11. Relationship between DITSCAP Documents [From: 27] 


TCS further mapped these documents to one another based on their information
content. Figure 12 illustrates how “The benefits of the interpreted documentation set 
include elimination of redundancy and grouping of information in a more beneficial 
manner [22].” 



Figure 12. TCS Interpretation of Documents [From: 27] 


The TCS analysis indicated repetitious information contained in numerous 
supporting documents that the DITSCAP should eliminate. The report also suggested that 
future documents produced in support of the DITSCAP should be continuously examined 
to identify and to eliminate recurring and repetitious information. 

H. THEME 4: INEFFECTIVE TRAINING
1. Problem 

The fourth theme revealed by the study was that ineffective training hinders
successful application of the DITSCAP. Effective training enables everyone to 
understand the requirements of the DITSCAP. 



Figure 13. Training 

Figure 13 illustrates that 53% of the respondents received formal DITSCAP 
training. Formal training is defined as a course of instruction that entails specific learning 
objectives and is conducted outside of the workplace [28]. The remaining 47% of 
participants stated that they did not receive formal training but understood the importance 
of receiving some type of training. This remaining 47% did, however, receive on-the-job
training (OJT). Furthermore, 25% of participants also stressed that the DITSCAP training
should not be limited to restating DITSCAP requirements, but should focus on its
application. There is a wide variety of commercial and DoD training tools available that
enable commands to train their personnel on the DITSCAP. However, these tools do not
discuss its application. Omitting the application of the DITSCAP in its training fosters an
environment where key participants misinterpret the tasks and activities outlined in the
DITSCAP. These misinterpretations can be made by the CA, DAA or any other key role or
supporter involved in the process.


The CA is responsible for evaluating technical and non-technical security features
of the information system. This includes multiple detailed analyses of the system or
component to include security testing, penetration testing, contingency plan evaluation,
and a risk management review.

To accomplish these tasks, the CA must have extensive knowledge in technical
areas such as operating systems, router configuration, database management systems, etc.,
or have a certification team with extensive knowledge. The CA also must consider how
the system or component interacts with other systems or networks or the DII to ensure it
does not jeopardize other systems or networks. “Even while focusing on a single
security component of the system, the certifier must keep the larger system context in
mind and be able to understand the impact and side effects of that component on overall
system security [29].” For example, the certifier may attempt to accomplish the
penetration testing task and in doing so, focus more on outsider penetration testing than
on insider. The CA may also recommend to the DAA that the system be accredited. The
result is an accredited system that is vulnerable to insider attacks. The National
Security Telecommunications and Information Systems Security Instruction (NSTISSI) 
No. 4015, National Training Standard for System Certifiers, outlines the minimum 
requirements for the certifier’s education and training. The DoD agencies should use 
these standards with their respective local guidance to train certifiers effectively before 
these individuals are allowed to be certifiers in the DITSCAP application. 

The DAA has similar tasks and responsibilities that are crucial to certifying and 
accrediting the system. Training is just as important to the DAA as it is to the CA. Once 
again, failure to emphasize training creates misunderstandings in implementation policies 
and procedures. 

The DAA, based on recommendations from the CA, determines whether to
accredit the system. The DAA’s tasks include designating the CA, defining systems
accreditation requirements, approving certification level, approving confidentiality,
integrity, and availability requirements, supporting drafting of the SSAA, and monitoring
development activities.





To accomplish these tasks, the DAAs must understand the role of the CA, and 
others key to the process. In addition, the DAAs must realize that, in order to make 
informed decisions, they must depend on these key participants to provide accurate 
information. The National Security Telecommunications and Information Systems 
Security Instruction (NSTISSI) No. 4012, National Training Standard for System 
Designated Approving Authority, which outlines the minimum training requirements, 
should be used with agency instruction to ensure that the DAAs are fully trained. 

2. Solution 

The final recommendation is to provide adequate training to everyone involved 
with the DITSCAP process. Training is vital for the successful application of the 
DITSCAP as it reduces or eliminates misinterpretation problems. The study revealed that 
most participants understood the goals of the DITSCAP, but thought that its application
led to misinterpretation. Participants in the study further stated that a lack of training
posed problems in certifying and accrediting their information systems. These comments
suggest that achieving the goals as currently set forth by the DITSCAP is unrealistic.
Training should be inserted in the officer’s or enlisted member’s Professional Military
Education (PME). Furthermore, training should also be added to the Defense Acquisition
University (DAU) course matrix. This university provides practitioner training, career
management, and services to enable the acquisition, technology, and logistics community
to make smart business decisions and deliver timely and affordable capabilities to the war
fighter [30]. Graduates of the DAU will be involved in the acquisition of the systems that
must comply with the DITSCAP. If they had a better understanding of the process, they 
would be more likely to ensure programs under their purview complied. Broadening the 
audience of those with an understanding of the DITSCAP also increases the likelihood of 
compliance. 

I. CONSOLIDATED SOLUTION 

Four themes and their potential solutions were provided in the previous 
paragraphs. An important aspect of this research is to consider a holistic solution, vice 
individual solutions. Furthermore, an integrated in-depth analysis of the problems 
coupled with certain aspects relating to Knowledge Management (KM) may help to
potentially mitigate all of these problems. The following discussion examines the 
problem, reviews basic assumptions, and proposes a macro-level solution as follows: 

• Problem: Two problems exist: 1) policy makers need the DoD to comply 
with the DITSCAP and 2) DoD components have identified four themes 
(listed in previous paragraphs) that prevent them from fully complying 
with the DITSCAP. 

• Assumptions: The first assumption is that additional resources will not be 
available due to budgetary constraints. This fiscal reality is caused in part 
by a number of challenges that the federal government currently faces
such as the Global War on Terrorism, Operation Iraqi Freedom and many
more. The second assumption is that cultural differences exist within DoD
personnel and that attitudes and behaviors towards the DITSCAP are not
shared. The final assumption is that there is no incentive for organizations
within the DoD to comply with the DITSCAP, which decreases the chance
of command acceptance. In this context, incentives refer to
command or individual awards provided for exceptional services in
DITSCAP compliance.

• Solution: A Community of Interest (COI) needs to be established. A COI 
is “a group of people connected to each other by a need to solve common 
problems, develop skills and share common practices [31].” This COI 
should consist of members from various commands, centers such as the 
Center for Information Systems Security Studies and Research at the 
Naval Postgraduate School, squadrons, battle groups, and battalions who 
fill a key role or support the key roles, preferably the PM or CA. 
Moreover, the group should be empowered to make decisions concerning 
DITSCAP initiatives and to suggest policy. COI objectives are to: 

• Build a shared vision 

The COI will establish this vision by collecting, consolidating, and fusing input 
from all members. Part of this process entails a conscious effort on behalf of the COI 
members, as they frequently visit commands, to solicit feedback on what the vision 
entails. 


• Foster collaboration 

This is accomplished by the COI analyzing current problems with the process and 
generating shared solutions. This will require frequent interaction with organizations that 
have to comply with the DITSCAP in order to incorporate issues and recommended 
solutions. 





• Promote Team Learning 

Communication is essential to ensuring that team learning is accomplished. 
Organizations have to be informed of changes and updates to the DITSCAP. Posting 
DITSCAP information on a website is important, but misinterpretation of the
information is always plausible. Instead, the COI would provide understanding via 
command visits and direct interaction. “Fly-Away” teams should be created to provide 
“quick looks” at the command’s DITSCAP program. During such assist visits, the COI 
can promote team training by providing personal command training. 

J. SUMMARY 

At the conclusion of this study, it is evident that there is cause for concern relative 
to the DITSCAP compliance. Problems were identified in the form of the four 
aforementioned themes, yet no simple solutions exist. This chapter provides the reader 
with multiple independent solutions and one consolidated solution which would help address the
shortfalls currently being experienced. 





V. CONCLUSION 


The security of the DII assures the DoD that its global network is protected. 
Unfortunately, the infrastructure has many access points and failure to secure any one of 
them can compromise the network. A compromised network hinders the DoD’s ability to 
obtain and maintain information superiority. Nevertheless, in order to maintain an 
adequate level of information security on the DII, rigid policies and governance
components must be established. 

DITSCAP standards and procedures provide the means to certify and to accredit 
information technology systems and maintain the security of the DII. However, certain 
elements of the process should be redefined in order to maximize its effectiveness. As 
the DITSCAP transitions to the DoD Information Assurance Certification and 
Accreditation Process (DIACAP), the following recommendations should be considered: 

• Streamline documentation 

• Provide adequate resources 

• Provide tools that support C&A 

• Provide training 

A. LIMITATIONS OF RESEARCH 

Given that the author of the thesis was attempting to work from a participatory 
research framework, where the mass distribution of the survey hinged on the ability of 
the participants to forward requests to other personnel involved in the process, there were
a number of unique challenges and limitations incurred. 

First, the sample size was small as 19 people participated in the study. This small 
sampling size suggests that the personal accounts may not truly reflect the true accounts 
of the whole population of DITSCAP users. However, it is worth noting that the sample 
size contained personnel who were interviewed and these individuals did provide 
valuable information on their personal accounts of the process. 

Second, only one operational command participated in the study, thus the views 
on the application of the process focused more on the DoD’s shore-based command. 
This is important as implementation of the recommendations may omit factors affecting
these operational commands in certifying and accrediting their systems. For example, a 
deployed ship participates in many underway exercises and depending on the size and 
complexity of the system, certification and accreditation efforts could affect the routine 
of the entire ship. Therefore, the application of the DITSCAP requires careful planning so
as not to disrupt the routine of the ship.

B. AREAS OF FUTURE RESEARCH 

The conclusions as well as the limitations of this study also bring forth some 
fruitful and interesting possible avenues for research that one may want to probe more 
deeply in the future. 

First, a cost analysis should be conducted to determine resources needed to 
implement the DIACAP. The implementation of any process takes time, money, and 
personnel. As the current DoD budget is overextended, it would be worth examining the
implications and burden that a new process may cause. Furthermore, the analysis would 
provide policy makers with valuable data should negotiations be required due to possible 
funding decreases to other programs in an effort to support the transition of the DIACAP. 

Second, an implementation plan should be derived to ensure that organizations 
experience a smooth transition to the DIACAP. The DIACAP is expected to be a 
significant first step in the certification and accreditation process for the DoD where tools 
are presented to aid organizations in their efforts to certify and accredit their information 
systems; however, this plan should be incorporated with a management approach that 
details specific actions, time frames, and evaluation measures of the DIACAP.
Providing general guidance on the DIACAP would not put the DoD in a sound position 
to effectively implement the strategy of the DIACAP, but a plan would ease 
implementation. 

Finally, a web-based process management system should be built that will enable 
parent commands and subcommands to update their SSAAs. It was evident from the study that such a
tool would enable updates to the SSAAs to be made in real-time, thus eliminating routing 
time. Such a system will aid OSD in ensuring compliance with the DITSCAP (or 
DIACAP) across the entire DoD. 





Information Assurance will continue to be an integral part of our lives in the 
future. C&A protection of the DII is a team effort, and it is hoped that everyone fulfills 
his or her role in protecting the DII because the benefits will be seen for years to come. 
Information security is a key to our future. 





APPENDIX. SURVEY QUESTIONS 


1. What branch of service or DoD agency are you or were you affiliated with? 
Check all that apply. 

o Army 
o Air Force 
o Navy 
o Marine Corps 

o DISA (Defense Information Systems Agency) 
o DLA (Defense Logistics Agency) 
o DLI (Defense Language Institute) 
o DMDC (Defense Manpower Data Center) 
o Other _ 

2. How many total years of experience do you have in certification and accreditation
of information systems? _ years

3. What role did you play or support in the application of the DITSCAP
(Department of Defense Information Technology Security Certification and
Accreditation Process) in certification and accreditation of your system(s)?

o DAA
o Program Manager
o Certifier
o User Representative

4. Did you tailor the DITSCAP to your system?
o Always
o Most of the time
o Sometimes
o Rarely
o Never

5. Should you have tailored the process?
o Yes
o No

6. Did you have any training on the DITSCAP prior to fulfilling your role?
o Yes
o No

Note: If you answered “No” to question number 6, then skip to question number 8.

7. If yes, did this training help you fulfill duties in your role?
o Yes
o No





8. What activity (s) was least helpful during the application of the DITSCAP and 
why? 

9. What activity (s) was most helpful during the application of the DITSCAP and 
why? 

Note: If you were represented by someone during the Phase I through IV, then skip to 
question number 14. 

10. Were you involved during Phase 1 of the process? 
o Yes 

o No 

11. Were you involved during Phase 2 of the process? 
o Yes 

o No 

12. Were you involved during Phase 3 of the process? 
o Yes 

o No 

13. Were you involved during Phase 4 of the process? 
o Yes 

o No 

Note: If you answered questions 10 through 13, then skip to question number 18. 

14. Was your representative (s) involved during Phase 1 of the process? 
o Yes 

o No 

15. Was your representative (s) involved during Phase 2 of the process? 
o Yes 

o No 

16. Was your representative (s) involved during Phase 3 of the process? 
o Yes 

o No 

17. Was your representative (s) involved during Phase 4 of the process? 
o Yes 

o No 

18. What would you do differently if you fulfilled this role again in certification and 
accreditation efforts of future systems and wanted to increase your chances of 
success in it? 





19. How many site/systems have you played this key role in or been associated with?

o _ (number of times)

20. When you were identified as a participant in the C&A process (or in your role) 
which phase was the system/site in? (Check all that apply) 

o I 
o II 
o III 

o IV 

21. Did your organization develop checklists or additional guidance for implementing 
the process? 

o Yes 
o No 

22. Did your organization develop any additional guidance for implementing the 
process? 

o Yes 
o No 

23. Were you able to learn enough technical understanding of the system/site to look 
for vulnerabilities? 

o Yes (If yes, explain: _)

o No 

24. Explain your technical level of understanding/expertise of software? 

25. Did you attend multiple system/site technical review (CDRs, PDRs, test reviews)? 

o Yes (Approximately, how many_) 

o No 

26. Did you use tools in the C & A (Certification and Accreditation) process? Check 
those that you have used. 

o Xacta 
o eMASS 
o RMS 

o Security scanners 

o Other (Tools Used: _ _ _ _) 

27. What future changes would you find beneficial in the application of the 
DITSCAP? 





28. Leadership supported me in my role in the certification and accreditation efforts: 
o Disagree 

o Mostly disagree 

o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

29. Regular meetings were held by all parties involved throughout the process: 
o Disagree 

o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

30. I relied more heavily on other documents than that of the DITSCAP in my 
certification and accreditation efforts: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

31. The System Security Authorization Agreement was adequately written: 
o Disagree 

o Mostly disagree 

o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

32. Documentation of C & A efforts was held consistently throughout the process: 
o Agree 

o Disagree 
o Unsure 

33. I understood my role in the process and the roles of others: 
o Disagree 

o Mostly disagree 

o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 





34. The system owner was aware that the DITSCAP required the system to be 
certified and accredited: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

35. If you answered “no” (Disagree or Mostly Disagree) to question 32, when did the 
system owner(s) become aware that the system(s) had to be certified and 
accredited? 

36. The role of the Designated Approving Authority was clearly identified during 
implementation of Phase I of the DITSCAP: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

37. The role of the Program Manager was clearly identified during implementation of 
Phase I of the DITSCAP: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

38. The role of the Certifier was clearly identified during implementation of Phase I 
of the DITSCAP: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

39. The role of the User Representative was clearly identified during implementation 
of Phase I of the DITSCAP: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 





40. The Designated Approving Authority was identified during system development 
or modification: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

41. The Program Manager was identified during system development or modification: 
o Disagree 

o Mostly disagree 

o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

42. The Certifier was identified during system development or modification: 
o Disagree 

o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

43. The User Representative was identified during system development or 
modification: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

44. As changes to the concepts of operations occurred they were immediately added 
to the SSAA: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

45. As changes to the system architecture description occurred they were immediately 
added to the SSAA: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 





46. The cost required to alleviate the risks of the system played little in the decision to 
authorize the system for use: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

47. In the case of legacy systems, conversion to the SSAA format was easy: 
o Disagree 

o Mostly disagree 

o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

48. Support of the C&A process by other organizations proved helpful: 
o Disagree 

o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

49. There was a good working relationship amongst stakeholders in tailoring the
security activities to system development: 
o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

50. What were the certification levels determined for the system(s)? (Check all that 
apply) 

o 1 
o 2 
o 3 
o 4 

51. Upon completion of Phase II, there were documented security specifications:

o Disagree
o Mostly disagree
o Neutral (neither agree nor disagree)
o Mostly agree
o Agree





52. Upon completion of Phase II, there were comprehensive test plans and 
procedures: 

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

53. Upon completion of Phase II, there was written assurance that all network and
other interconnection requirements had been determined:

o Disagree 
o Mostly disagree 
o Neutral (neither agree nor disagree) 
o Mostly agree 
o Agree 

54. Are there any additional comments you would like to make?_ 


52 



LIST OF REFERENCES 


[1] NSTISSI No. 4009. National Information Systems Security (INFOSEC) Glossary, 
Retrieved May 21, 2005 from http://security.isu.edu/pdf/4009.pdf. 

[2] DoD Instruction 5200.40 “DoD Information Technology Security Certification 
and Accreditation (C&A) Process (DITSCAP),” December 1997. 

[3] U.S. Navy Press Releases. “NMCI Preps against Cyber Attacks,” Retrieved June 
13, 2005 from 

http://www.findarticles.eom/p/articles/mi_pnav/is_200107/ai_2179976472. 

[4] Murray, Bill. FCW Media Group “DoD Network Attacks Level Off,” Retrieved 
June 12, 2005 from http://www.fcw.eom/fcw/articles/2000/1204/web-afcea-12- 
08-00.asp. 

[5] Erbschloe, Michael. Trojans, Worms, and Spyware: “A Computer Security 
Professional’s Guide to Malicious Code,” Elsevier Inc, 2005. 

[6] Lyman, Jay. News Eactor Technology News. “In Search of the World’s Costliest 
Computer Virus,” Retrieved June 12, 2005 from 
http://www.newsfactor.com/perl/story/16407.html. 

[7] Fisher, Dennis. E-Week. “Cyber-Attack Cost Down, Says Survey,” Retrieved 
June 12, 2005 fromhttp://www.eweek.com/article2/0,1759,1659974,00.asp. 

[8] DoD 8510.1-M . “Department of Defense Information Technology Security 
Certification and Accreditation Process (DITSCAP), Application Manual,” July 
2000. 

[9] Security Certification and Accreditation 101. Retrieved June 1, 2005 from 
http://www.intranetjournal.eom/articles/200406/ij_06_23_04a.html. 

[10] I-assure. Retrieved April 12, 2005 from http://www.i- 
assure.com/services/diacap.htm. 

[11] Tech Target. What is “Definitions,” Retrieved June 12, 2005 from 
http://whatis.techtarget.com/whome/0,289825,sid9,00.html. 

[12] Malisow, Ben. “DoD-Certified Trusted Systems and You-Part One,” Eebruary 

2000. 

[13] DoD Directive 5200.28 “Department of Defense Trusted Computer System 
Evaluation Criteria,” December 1985. 

[14] DoD Directive 8500.1 “Information Assurance (lA),” October 2002. 


53 



[15] DoD Instruction 8500.2 “Information Assurance (lA) Implementation,” February 
2003. 

[16] Information Assurance. Information Management: “Management of Sub 
disciplines,” Army Regulation 25-2. Retrieved June 12, 2005 from 
http://ia.gordon.army.mi1/iaso/Army/AR25-/main.htm#Defense%20in%20Depth. 

[17] Shore, Dave “Information Security Dictionary,” Retrieved March 3, 2005 from 
http://www.Itsecurity.com. 

[18] Office of Management and Budget Circular No A-130 Appendix III, “Security of 
Federal Automated Information Resources,” November 2000. 

[19] Kahn, Jay J. “Certification of Intelligence Community Systems and Measurement 
of Residual Risks,” Retrieved March 10, 2005 from 

http://philby.ucsd.edu/~cse291_IDVA/ papers/rating-position/Kahn.pdf, March 
2005. 

[20] Marine Corps Project Officers Certification and Accreditation Handbook. 
Appendix C. Retrieved May 21, 2005 from http://akss.dau.mil/docs/certOc.rtf. 

[21] Dictionary.com Retrieved April 24, 2005 from 
http://dictionary.reference.com/search?q=process. 

[22] Hendrix, Greg. “The Importance of Goals to the Success of Work Teams” 
Retrieved May 22, 2005 from 

http://www.workteams.unt.edu/reports/ghendrix.htm. 

[23] Cassidy, Anita and Guggenberger, Keith. “A Practical Guide to Information 
Systems Process Improvement,” 2001. 

[24] QPR. “Process Management,” Retrieved May 9, 2005 from 
http://www.qpr.com/processmanagement/process_management_intro.html. 

[25] Dacey, Robert F. General Accounting Office report 04-376. “Information 
Security: Agencies Need to Implement Consistent Processes in Authorizing 
Systems for Operation,” June 2004. 

[26] Concepts of Leadership Management Modern, Retrieved April 7, 2005 from 
http://www.nwlink.com/~donclark/leader/leadcon.html. 

[27] Welke, Steve. “Streamlining DITSCAP Documentation,” Retrieved April 2005 
from http://www.tcs-sec.com/resources/5resources5_6.html24. 

[28] Google Glossary, Retrieved April 12, 2005 from 
http://www.google.com/search?hl=en&lr=&oi=defmore&q=define:Formal-i-Traini 

ng. 


54 



[29] “A Program for Education in Certification and Accreditation,” Retrieved May 8, 
2005 from http://cisr.nps.navy.mil/wise3/Paper_review/Papers/p23.pdf. 

[30] Defense Acquisition University, “Mission,” Retrieved May 24, 2005 from 
http://www.dau.mil/about-dau/docs/05strat9-301.pdf. 

[31] Training and Doctrine Command, “Lifelong Learning: A Transformation in 
Training, Mindset,” Retrieved 14 June 2005 from 

http://www.tradoc.army.mil/pao/Web_specials/lifelong_learning/intro.htm. 


55 



THIS PAGE INTENTIONALLY LEFT BLANK 


56 



INITIAL DISTRIBUTION LIST 


1. Defense Technical Information Center 
Ft. Belvoir, Virginia 

2. Dudley Knox Library 
Naval Postgraduate School 
Monterey, California 

3. Karen Burke
Naval Postgraduate School
Monterey, California

4. Jim Ehlert
Naval Postgraduate School
Monterey, California

5. James A. LeCounte
Naval Postgraduate School
Monterey, California

6. Mr. Robert J. Carey
Deputy, DON CIO
Arlington, Virginia

7. Dan C. Boger
Naval Postgraduate School
Monterey, California





